Closed
Bug 801638
Opened 12 years ago
Closed 10 years ago
XSS: wiki.mozilla.org FormStart
Categories
(Websites :: wiki.mozilla.org, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: curtisk, Unassigned)
Details
(Keywords: reporter-external, wsec-xss, Whiteboard: [site:wiki.mozilla.org] [dev=2015-02-05] [stage=2015-02-05] [prod=2015-02-05])
Hello,
My name is Siddhesh Gawde. I am a security researcher, and I have found one vulnerability on a sub-domain of Mozilla.
Details:
Type of issue: XSS
Browser: Mozilla Firefox v14.0.1
Operating System: Windows 7
Date of finding: 12/10/2012
Website Link: https://wiki.mozilla.org
Links:
The XSS vuln is of POST type here; we need to post data here:
https://wiki.mozilla.org/Special:FormStart
Post data is :
page_name=xsss&namespace=&super_page=&params=1087794</script><script>alert(0)</script><"&form=11
This will get the alert box to pop up instantly!
I have attached an image of the vulnerability (as proof) of the link which I have mentioned above.
If you need any other information about it then please let me know.
Eagerly waiting for your reply.
Thank you,
Siddhesh Gawde.
Comment 2•12 years ago (Reporter)
Might this be a duplicate of the root issue that is behind bug 761114?
Updated•12 years ago
Whiteboard: [site:wiki.mozilla.org]
Updated•12 years ago (Reporter)
Flags: sec-bounty-
Comment 4•10 years ago
I can't seem to reproduce this, but I might not be doing it right.
Is this still reproducible?
Flags: needinfo?(curtisk)
Flags: needinfo?(coolsiddheshgawade)
Comment 5•10 years ago (Reporter)
I can't seem to repro either, this may have been addressed by the most recent wiki updates.
Flags: needinfo?(curtisk)
Not able to reproduce this one, the layout is changed completely.
Flags: needinfo?(coolsiddheshgawade)
Sorry, I made a mistake while checking it actually.
I am still able to reproduce it.
poc: http://gyazo.com/adc71a0b73d750d96bf7e4ca4573b2ad
Request :
LINK:
https://wiki.mozilla.org/Special:FormStart
HEADERS:
Host: wiki.mozilla.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://wiki.mozilla.org/Special:FormStart
Cookie: __utma=132703880.484202267.1413400289.1413400289.1413468159.2; __utmz=132703880.1413468159.2.2.utmcsr=bugzilla.mozilla.org|utmccn=(referral)|utmcmd=referral|utmcct=/show_bug.cgi; optimizelySegments=%7B%222000810488%22%3A%22false%22%2C%222017550344%22%3A%22ff%22%2C%221994990450%22%3A%22none%22%2C%222011280991%22%3A%22direct%22%7D; optimizelyEndUserId=oeu1413467954737r0.04618477120119591; optimizelyBuckets=%7B%7D; __utmb=132703880.1.10.1413468159; __utmc=132703880; __utmt=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 50
POST DATA:
page_name=x&form=11&namespace=&super_page=&params='"></script><script>alert(0)</script><"
I am using Mozilla v29
Comment 8•10 years ago
Ah, I can indeed reproduce that way. Thanks, Siddhesh.
Comment 9•10 years ago
This appears to still be present in the latest version of the extension:
https://git.wikimedia.org/blob/mediawiki%2Fextensions%2FSemanticForms/b4935cd735bdb8e67c6eb18661eedf511d3c8315/specials%2FSF_FormStart.php#L194
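Added example (not part of the bug thread and not the SemanticForms code): the `</script>` prefix in the reported payload suggests the `params` value was reflected inside an inline script block, and under that assumption the sketch below contrasts an unencoded template, a quote-escaping-only template, and a context-encoded one. The template, the `BASE` URL and all function names are hypothetical.

```javascript
// Added example: hypothetical template, not the SemanticForms source.
// Assumption: the reflected value sits in a JS string inside an inline <script>.
const BASE = "https://wiki.example/index.php?title=x&action=formedit"; // constructed

// Vulnerable shape: the value is concatenated into the script body as-is.
function renderUnsafe(params) {
  return `<script>window.location="${BASE}&${params}";</script>`;
}

// Incomplete fix: escaping backslashes and quotes keeps the JS string intact,
// but the HTML parser closes the element at the first "</script" it meets,
// before any JavaScript is tokenised.
function renderQuoteEscaped(params) {
  const s = params.replace(/\\/g, "\\\\").replace(/["']/g, "\\$&");
  return `<script>window.location="${BASE}&${s}";</script>`;
}

// Encode for the script context: JSON gives a valid JS string literal, then
// <, >, & and U+2028/U+2029 become \uXXXX so no markup reaches the parser.
function jsLiteral(value) {
  return JSON.stringify(String(value)).replace(/[<>&\u2028\u2029]/g,
    (c) => "\\u" + c.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Hardened: percent-encode the value for its URL role, then emit a JS literal.
function renderSafe(params) {
  const url = BASE + "&params=" + encodeURIComponent(params);
  return `<script>window.location=${jsLiteral(url)};</script>`;
}

// Rough stand-in for "how many script elements does the browser see".
function scriptTagCount(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Payload string quoted from the report above.
const payload = `'"></script><script>alert(0)</script><"`;
for (const render of [renderUnsafe, renderQuoteEscaped, renderSafe]) {
  console.log(render.name, scriptTagCount(render(payload)));
}
```

Only the last renderer leaves a single script element; `jsLiteral` alone also round-trips the value unchanged, so encoding does not alter what the script receives.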
Comment 10•10 years ago
I just confirmed this, this is the first time I had seen it.
https://bugzilla.wikimedia.org/show_bug.cgi?id=72436 (I can add anyone from Mozilla who wants access, just need to know your user on our instance).
We'll get a patch out asap to fix the problem, and coordinate getting an official patch from the maintainers of that extension into the main repo, probably by next week.
Comment 11•10 years ago
(In reply to csteipp from comment #10)
> I just confirmed this, this is the first time I had seen it.
>
> https://bugzilla.wikimedia.org/show_bug.cgi?id=72436 (I can add anyone from
> Mozilla who wants access, just need to know your user on our instance).
I'm the same on there as here; please add me.
> We'll get a patch out asap to fix the problem, and coordinate getting an
> official patch from the maintainers of that extension into the main repo,
> probably by next week.
We push to our environments every Thursday, FWIW.
Comment 12•10 years ago
Gordon, I just added you to our bug.
The extension maintainer made a public patch for it (https://gerrit.wikimedia.org/r/#/c/168618/).
I don't have an SMW dev instance, but that should solve the issue.
Updated•10 years ago
Whiteboard: [site:wiki.mozilla.org] → [site:wiki.mozilla.org] [dev=2014-10-30]
Comment 13•10 years ago
With the upgrade of the semantic extensions (bug 1081712), this should be fixed.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment 14•10 years ago
This is still broken:
https://wiki.mozilla.org/Special:FormStart?page_name=x&form=11&namespace=&super_page=&params='"></script><script>alert('this is still broken')</script><"
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 15•10 years ago
OK, SemanticForms has been upgraded to 3.1, and it looks like this is now fixed for real.
Group: websites-security
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → FIXED
Updated•10 years ago
Whiteboard: [site:wiki.mozilla.org] [dev=2014-10-30] → [site:wiki.mozilla.org] [dev=2015-02-05] [stage=2015-02-05] [prod=2015-02-05]
Updated•6 months ago
Keywords: reporter-external